[CheckSec : Checking security properties of binary]
Link: https://github.com/slimm609/checksec.sh
Check by directory path : ./checksec --dir=/folder1/folder2
Check by file path : ./checksec --file=/folder1/binary
RPATH
Checking RPATH :
objdump -p /binary | grep -i rpath
readelf -a /binary | grep -i rpath
Compiling with RPATH :
gcc -Wl,-rpath=/binary program.c
Removing RPATH :
patchelf --remove-rpath /binary
Changing RPATH :
patchelf --force-rpath --set-rpath "New-Rpath" /binary
chrpath -r 'New-Rpath' /binary
Stack Canary
Compiling with Stack Canary :
gcc tmp.c -fstack-protector-all
Checking if Stack Canary is enforced :
readelf -s a.out | grep -i stack_chk
Demo :
[root@linux]# gcc tmp.c -fstack-protector-all
[root@linux]# readelf -s a.out | grep -i stack_chk
1: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __stack_chk_fail@GLIBC_2.4 (2)
50: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __stack_chk_fail@@GLIBC_2
Compiling without Stack Canary :
[root@linux]# gcc tmp.c
[root@linux]# readelf -s a.out | grep -i stack_chk
Note : No output is returned, because gcc as shipped upstream does not enable stack canaries by default. Some distributions (e.g. Ubuntu) patch gcc to enable -fstack-protector-strong by default, so rely on the readelf check rather than on the compiler flags used.
Symbols (linker symbols)
Checking if symbols are present :
readelf --symbols a.out | grep -i symtab
file a.out | grep -i "not stripped"
Demo :
[root@linux]# gcc tmp.c
[root@linux]# readelf --symbols a.out | grep -i symtab
Symbol table '.symtab' contains 65 entries:
[root@linux]# file a.out
a.out: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=be5bf11b01830b497087943a285d6f4e3f74a24e, not stripped
Removing symbols from compiled binary:
strip a.out
Demo :
[root@linux]# strip a.out
[root@linux]# readelf --symbols a.out | grep -i symtab
[root@linux]# file a.out | grep -i "not stripped"
Compiling without symbols :
gcc -s tmp.c
Demo :
[root@linux]# gcc -s tmp.c
[root@linux]# readelf --symbols a.out | grep -i symtab
[root@linux]# file a.out | grep -i "not stripped"
Symbols (debug symbols)
TODO
PIE
Compiling with PIE :
gcc -pie -fPIE tmp.c
Checking if PIE is enabled :
./checksec --file=a.out
PIE vs PIC : https://mropert.github.io/2018/02/02/pic_pie_sanitizers/
RELRO
https://medium.com/@HockeyInJune/relro-relocation-read-only-c8d0933faef3
Compiling with Full RELRO : Recommended, but can increase the program loading time.
gcc -Wl,-z,relro,-z,now tmp.c
Compiling with Partial RELRO : Ok
gcc -Wl,-z,relro tmp.c
Compiling without RELRO : Not Ok
gcc -Wl,-z,norelro tmp.c
Checking RELRO :
./checksec --file=a.out
https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro
RELRO is a generic mitigation technique to harden the data sections of an ELF binary/process. Using full RELRO has a slight performance impact during application startup (as the linker has to populate the GOT entries before entering the main function).
Fortify
https://access.redhat.com/blogs/766093/posts/1976213
https://stackoverflow.com/questions/13517526/difference-between-gcc-d-fortify-source-1-and-d-fortify-source-2
Compiling with Fortify :
gcc -D_FORTIFY_SOURCE=2 -O2 tmp.c
Checking :
./checksec --file=a.out
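The checks above (RPATH/RUNPATH, stack canary, symbols, PIE, RELRO, Fortify) all read fields of the ELF file itself, which is what checksec.sh derives from readelf output. The following added example (written for these notes, not part of checksec.sh or any other project) reads those fields directly from a little-endian ELF64 image with the struct module: PT_GNU_RELRO plus BIND_NOW gives full RELRO, DT_RPATH/DT_RUNPATH entries give the search path, the presence of __stack_chk_fail in the dynamic string table is the same evidence as `readelf -s | grep stack_chk`, *_chk imports indicate Fortify, and a missing .symtab section is what `file` reports as stripped. `build_sample_elf` is a constructed, non-executable ELF image used so the checker runs offline; pass a real binary path on the command line to inspect it.

```python
import struct
import sys

# ELF constants (values from the ELF specification / <elf.h>).
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
SHT_SYMTAB = 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ, DT_RPATH, DT_RUNPATH = 0, 1, 5, 10, 15, 29
DT_FLAGS, DT_FLAGS_1 = 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR, PHDR, SHDR, DYN = "<HHIQQQIHHHHHH", "<IIQQQQQQ", "<IIQQQQIIQQ", "<qQ"  # ELF64 structs


def elf_hardening(data):
    """Derive checksec-style properties from a little-endian ELF64 image (bytes)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    h = struct.unpack_from(EHDR, data, 16)
    e_type, e_phoff, e_shoff = h[0], h[4], h[5]
    e_phentsize, e_phnum, e_shentsize, e_shnum = h[8], h[9], h[10], h[11]
    phdrs = [struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize) for i in range(e_phnum)]

    def to_offset(vaddr):
        # Dynamic-section pointers are virtual addresses; map them to file offsets via PT_LOAD.
        for p in phdrs:
            if p[0] == PT_LOAD and p[3] <= vaddr < p[3] + p[5]:
                return vaddr - p[3] + p[2]
        raise ValueError("address %#x is not backed by a PT_LOAD segment" % vaddr)

    entries = []  # (tag, value) pairs of the dynamic section; a static binary has none
    for p in phdrs:
        if p[0] == PT_DYNAMIC:
            pos = p[2]
            while True:
                tag, val = struct.unpack_from(DYN, data, pos)
                pos += struct.calcsize(DYN)
                if tag == DT_NULL:
                    break
                entries.append((tag, val))
    dyn = dict(entries)
    dynstr = b""
    if DT_STRTAB in dyn:
        start = to_offset(dyn[DT_STRTAB])
        dynstr = data[start:start + dyn[DT_STRSZ]]
    names = set(dynstr.split(b"\0"))

    def name(idx):
        return dynstr[idx:dynstr.index(b"\0", idx)].decode()

    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    bind_now = bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    sh_types = ([struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize)[1] for i in range(e_shnum)]
                if e_shoff else [])
    return {
        "pie": e_type == ET_DYN,  # shared libraries are ET_DYN too; DF_1_PIE in DT_FLAGS_1 disambiguates
        "relro": "full" if has_relro and bind_now else "partial" if has_relro else "none",
        "rpath": name(dyn[DT_RPATH]) if DT_RPATH in dyn else None,
        "runpath": name(dyn[DT_RUNPATH]) if DT_RUNPATH in dyn else None,
        "canary": b"__stack_chk_fail" in names,  # same evidence `readelf -s | grep stack_chk` shows
        "fortify": any(n.endswith(b"_chk") and n != b"__stack_chk_fail" for n in names),
        "stripped": SHT_SYMTAB not in sh_types,  # `file` prints "not stripped" when .symtab exists
        "needed": [name(v) for t, v in entries if t == DT_NEEDED],
    }


def build_sample_elf(pie=True, relro="full", runpath=None, canary=True, stripped=False):
    """Constructed minimal ELF64 image with the requested properties (no code, not runnable)."""
    names = [b"", b"libc.so.6", b"__printf_chk"] + ([b"__stack_chk_fail"] if canary else [])
    if runpath:
        names.append(runpath.encode())
    dynstr = b"\0".join(names) + b"\0"
    offsets, pos = {}, 0
    for n in names:
        offsets[n], pos = pos, pos + len(n) + 1
    dyn = [(DT_NEEDED, offsets[b"libc.so.6"]), (DT_STRTAB, 0x100), (DT_STRSZ, len(dynstr))]
    if runpath:
        dyn.append((DT_RUNPATH, offsets[runpath.encode()]))
    if relro == "full":
        dyn.append((DT_FLAGS_1, DF_1_NOW))  # what -z now sets; PT_GNU_RELRO alone is partial RELRO
    dyn.append((DT_NULL, 0))
    dynamic = b"".join(struct.pack(DYN, t, v) for t, v in dyn)
    phdrs = [struct.pack(PHDR, PT_LOAD, 5, 0, 0, 0, 0x400, 0x400, 0x1000),
             struct.pack(PHDR, PT_DYNAMIC, 6, 0x200, 0x200, 0x200, len(dynamic), len(dynamic), 8)]
    if relro != "none":
        phdrs.append(struct.pack(PHDR, PT_GNU_RELRO, 4, 0x200, 0x200, 0x200, len(dynamic), len(dynamic), 1))
    shdrs = b"" if stripped else (struct.pack(SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
                                  + struct.pack(SHDR, 1, SHT_SYMTAB, 0, 0, 0, 0, 0, 0, 8, 24))
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        EHDR, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, 64, 0 if stripped else 0x300,
        0, 64, 56, len(phdrs), 64, 0 if stripped else 2, 0)
    img = bytearray(0x400)
    img[:64] = ehdr
    img[64:64 + 56 * len(phdrs)] = b"".join(phdrs)
    img[0x100:0x100 + len(dynstr)] = dynstr
    img[0x200:0x200 + len(dynamic)] = dynamic
    img[0x300:0x300 + len(shdrs)] = shdrs
    return bytes(img)


if __name__ == "__main__":
    # Usage: python elf_hardening.py /path/to/binary (no argument: inspect the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for key, value in elf_hardening(data).items():
        print("%-9s %s" % (key, value))
```

Two caveats a checksec-style script should carry: a canary check based on the imported __stack_chk_fail symbol says nothing about which functions were actually instrumented, and a stripped binary that still imports `__*_chk` functions only proves Fortify was active for the source that called them.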
Find string in all files of given directory
grep -r "find_me" /directory/
[Windows] To search every file in the given directory and all its subdirectories for the word "password", regardless of letter case :
findstr /s /i /d:C:\Users "password" *.*
Process Tree
List all process tree :
pstree -a -lnp
Demo :
[root@linux /]# pstree -a -lnp
systemd,1 --switched-root --system --deserialize 21
|-systemd-journal,482
|-lvmetad,504 -f
|-systemd-udevd,517
|-auditd,615
| |-{auditd},616
| `-audispd,617
| |-sedispatch,622
| `-{audispd},623
|-dbus-daemon,642 --system --address=systemd: --nofork --nopidfile --systemd-activation
|-ModemManager,647
| |-{ModemManager},671
| `-{ModemManager},686
|-VGAuthService,648 -s
|-systemd-logind,653
|-avahi-daemon,654
| `-avahi-daemon,673
List process tree of only given user :
pstree -a -lnp root
// Here "root" is the username whose processes are shown.
List process tree of only given PID (parent process id) :
pstree -a -lnp 1
// Here "1" is the PID whose subtree is shown (PID 1 is init/systemd; pstree rejects PID 0).
Process Files (libraries, IP sockets, folders, etc)
List all files (libraries, IP sockets, folders, etc) opened by given process ID :
lsof -p 3259
Demo:
[root@linux /]# lsof -p 3259
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
command1 3259 root cwd DIR 253,0 4096 2640063 /dir/bin/binary
command1 3259 root rtd DIR 253,0 4096 2 /
command1 3259 root txt REG 253,0 2865976 2640066 /dir/bin/binary
command1 3259 root mem REG 253,0 111080 399214 /usr/lib64/libresolv-2.17.so
command1 3259 root mem REG 253,0 27776 394567 /usr/lib64/libnss_dns-2.17.so
command1 3259 root 0r CHR 1,3 0t0 1031 /dev/null
command1 3259 root 3u unix 0xffff880035cf5800 0t0 8591925 socket
command1 3259 root 4u a_inode 0,9 0 5880 [eventpoll]
List all processes that are using given file/folder (libraries, IP sockets, folders, etc) :
lsof /directory
Demo:
[root@linux /]# lsof /dir/bin/
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
command1 26859 username1 cwd DIR 253,0 4096 2640065 /dir/bin
command2 26880 root cwd DIR 253,0 4096 2640065 /dir/bin
lsof /directory/binary
Demo :
[root@linux /]# lsof /bin/bash
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ksmtuned 731 root txt REG 253,0 960472 396293 /usr/bin/bash
bash 31491 root txt REG 253,0 960472 396293 /usr/bin/bash
Trace System Call
strace -f ./binary
strace -s 1000 -f -p 30500
strace -f -s 1000 -p 30500 -e execve
// -f makes sure child/forked processes also get traced
// -e execve : only display execve system calls; use -e to filter on any system call (or class, e.g. -e trace=network)
// -p 30500 : attach to the process with PID 30500
// -s 1000 : maximum length of strings printed per argument (default 32); longer data is truncated with "..."
Trace System Call [without memory,thread,etc related syscalls]
strace -f -s 100000 -p `pgrep ProcessName` 2>&1 | egrep -v "mmap|fstat|close|seek|fcntl|mprotect|futex|brk|dup|sched_get_priority|getrlimit|rt_sig|munmap|epoll|select"
Lists IP sockets
List Process Id, IP, Port, Command, Username:
lsof -i -n -P
Demo :
[root@linux /]# lsof -i -n -P
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 36u IPv4 13982 0t0 TCP *:23 (LISTEN)
chronyd 730 chrony 1u IPv4 16356 0t0 UDP 127.0.0.1:323
sshd 31483 root 3u IPv4 10068735 0t0 TCP 10.10.10.10:22->20.20.20.20:51109 (ESTABLISHED)
Monitor network traffic
Trace all traffic of process dynamically:
strace -f -e trace=network -s 10000 curl http://rakeshmane.com/xss.js 2>&1 | egrep "connect.*port|send|recv"
Trace all traffic of already running process dynamically:
strace -f -e trace=network -s 10000 -p 1222 2>&1 | egrep "connect.*port|send|recv"
// Here 1222 is the PID of the running process.
// -f makes sure child/forked processes also get traced
// strace writes to stderr, so 2>&1 is needed before piping into egrep
// Note : strace shows the plaintext only for connections that are not TLS-encrypted; for TLS connections the send/recv buffers are ciphertext (see the SSL/TLS sections below).
Todo :
Improve the regex: if the program uses other network system calls than connect, send and recv (e.g. sendmsg, recvmsg, write, read on the socket), this grep misses them.
Demo :
[root@clm-pun-tt7ctg /]# strace -s 1000 -f -e trace=network -s 10000 curl http://rakeshmane.com/xss.js 2>&1 | egrep "connect.*port|send|recv"
[pid 32106] connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("170.1.1.1")}, 16) = 0
[pid 32106] sendto(3, "\231T\1\0\0\1\0\0\0\0\0\0\nrakeshmane\3com\0\0\1\0\1", 32, MSG_NOSIGNAL, NULL, 0) = 32
[pid 32106] recvfrom(3, "\231T\201\200\0\1\0\1\0\0\0\0\nrakeshmane\3com\0\0\1\0\1\300\f\0\1\0\1\0\2\240\2\0\4\271\307o\231", 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("170.1.1.1")}, [16]) = 48
connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("185.199.111.153")}, 16) = -1 EINPROGRESS (Operation now in progress)
sendto(3, "GET /xss.js HTTP/1.1\r\nUser-Agent: curl/7.29.0\r\nHost: rakeshmane.com\r\nAccept: */*\r\n\r\n", 84, MSG_NOSIGNAL, NULL, 0) = 84
recvfrom(3, "HTTP/1.1 200 OK\r\nContent-Type: application/javascript; charset=utf-8\r\nServer: GitHub.com\r\nLast-Modified: Thu, 28 Nov 2019 07:07:53 GMT\r\nETag: \"5ddf7249-17\"\r\nAccess-Control-Allow-Origin: *\r\nExpires: Sun, 01 Dec 2019 09:52:57 GMT\r\nCache-Control: max-age=600\r\nX-Proxy-Cache: MISS\r\nX-GitHub-Request-Id: 8F14:5528:21912D:2704AB:5DE38B20\r\nContent-Length: 23\r\nAccept-Ranges: bytes\r\nDate: Sun, 01 Dec 2019 09:46:18 GMT\r\nVia: 1.1 varnish\r\nAge: 200\r\nConnection: keep-alive\r\nX-Served-By: cache-bom18222-BOM\r\nX-Cache: HIT\r\nX-Cache-Hits: 1\r\nX-Timer: S1575193578.213355,VS0,VE0\r\nVary: Accept-Encoding\r\nX-Fastly-Request-ID: 1bf99f6ba097a7cdfbe1e716257ac0c2b3a7e443\r\n\r\nalert(document.domain)\n", 16384, 0, NULL, NULL) = 676
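The Todo above asks for something better than a grep over connect/send/recv. The following added example (written for these notes, not part of strace or of the original page) parses `strace -f -e trace=network` output into per-connection records: each connect() opens a record for its fd, later sendto/send/sendmsg/write and recvfrom/recv/recvmsg/read calls on that fd are counted against it (so fd reuse, as in the demo where fd 3 carries the DNS lookup and then the HTTP request, is handled), and a payload that starts with an HTTP request line or status line marks the connection as cleartext HTTP. The sample trace is constructed in the style of the demo, with documentation-range IPs and hand-written DNS payloads. It does not reassemble `<unfinished ...>` / `resumed>` pairs, which strace emits for syscalls interrupted by another thread; run with `-ff -o` per-PID files or add that pairing before relying on the byte counts for multi-threaded programs.

```python
import re

# Constructed sample in the style of the strace -e trace=network demo above; the IPs are
# documentation ranges and the DNS payloads are hand-written, not captured traffic.
SAMPLE_TRACE = r'''[pid 32106] socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3
[pid 32106] connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 0
[pid 32106] sendto(3, "\231T\1\0\0\1\0\0\0\0\0\0\7example\3com\0\0\1\0\1", 29, MSG_NOSIGNAL, NULL, 0) = 29
[pid 32106] recvfrom(3, "\231T\201\200\0\1\0\1\0\0\0\0\7example\3com\0\0\1\0\1\300\f\0\1\0\1\0\0\16\20\0\4\313\0q\n", 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, [16]) = 45
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
setsockopt(3, SOL_TCP, TCP_NODELAY, [1], 4) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("203.0.113.10")}, 16) = -1 EINPROGRESS (Operation now in progress)
getsockname(3, {sa_family=AF_INET, sin_port=htons(41234), sin_addr=inet_addr("192.0.2.7")}, [16]) = 0
sendto(3, "GET /xss.js HTTP/1.1\r\nHost: example.com\r\nAccept: */*\r\n\r\n", 56, MSG_NOSIGNAL, NULL, 0) = 56
recvfrom(3, "HTTP/1.1 200 OK\r\nContent-Length: 23\r\n\r\nalert(document.domain)\n", 16384, 0, NULL, NULL) = 62
'''

# "[pid N] call(fd, args...) = ret ..." ; lines whose first argument is not an fd (socket()) are skipped.
CALL_RE = re.compile(r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?(?P<call>\w+)\((?P<fd>\d+)(?:,\s*(?P<args>.*))?\)\s*=\s*(?P<ret>-?\d+)')
# sockaddr as strace prints it for AF_INET / AF_INET6 (port precedes address).
PEER_RE = re.compile(r'sin6?_port=htons\((?P<port>\d+)\).*?inet_(?:addr|pton)\((?:AF_INET6,\s*)?"(?P<addr>[^"]+)"')
PAYLOAD_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"')          # the quoted buffer argument
HTTP_RE = re.compile(r'(?:GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) |HTTP/1\.')
SEND = {"sendto", "send", "sendmsg", "write"}
RECV = {"recvfrom", "recv", "recvmsg", "read"}


def summarize_network_trace(text):
    """Group strace network syscalls into connections, one record per connect()."""
    conns, open_by_fd = [], {}
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue
        call, fd, ret, args = m["call"], int(m["fd"]), int(m["ret"]), m["args"] or ""
        if call == "connect":
            peer = PEER_RE.search(args)
            conn = {"pid": int(m["pid"]) if m["pid"] else None, "fd": fd,
                    "peer": "%s:%s" % (peer["addr"], peer["port"]) if peer else "?",
                    "sent": 0, "received": 0, "cleartext_http": False,
                    # EINPROGRESS is a non-blocking connect still in flight, not a failure
                    "failed": ret < 0 and "EINPROGRESS" not in line}
            conns.append(conn)
            open_by_fd[fd] = conn      # a later connect() on a reused fd starts a new record
        elif call in SEND or call in RECV:
            conn = open_by_fd.get(fd)
            if conn is None or ret < 0:
                continue               # not a connected socket we saw, or the call failed
            conn["sent" if call in SEND else "received"] += ret
            payload = PAYLOAD_RE.match(args)
            if payload and HTTP_RE.match(payload[1]):
                conn["cleartext_http"] = True
        elif call == "close":          # only present if close is traced as well (-e trace=network,close)
            open_by_fd.pop(fd, None)
    return conns


if __name__ == "__main__":
    for c in summarize_network_trace(SAMPLE_TRACE):
        print("pid=%s fd=%d peer=%s sent=%d received=%d cleartext_http=%s failed=%s" % (
            c["pid"], c["fd"], c["peer"], c["sent"], c["received"], c["cleartext_http"], c["failed"]))
```

Feed it the saved output of the strace command (`strace -f -e trace=network -s 10000 -o trace.txt ...`) instead of SAMPLE_TRACE to get the per-peer byte counts and cleartext flags for a real run.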
Trace packets for only particular host and port :
ASCII Format :
tcpdump -i ens192 -nn -ttt -vvv -A tcp and \(host 172.28.1.1 and port 2222\) -s0
HEX Format :
tcpdump -i ens192 -nn -ttt -vv -XX tcp and \(host 172.28.1.1 and port 2222\)
Save packets to file instead of displaying :
tcpdump -i ens192 -nn -ttt -vv -XX tcp and \(host 172.28.1.1 and port 2222\) -w filename.pcap
-s0 // Snapshot length (bytes captured per packet); -s0 captures whole packets.
-nn // Don't resolve IP addresses or port numbers to names.
-ttt // Print the time elapsed since the previous line (the format in the demo below); -tttt prints a human-readable date and time.
-vv // More verbose protocol decode (-vvv is the most verbose).
-i // Interface to capture on.
dst // Filter primitive: destination host.
dst port // Filter primitive: destination port.
-A // Print each packet's payload in ASCII.
-XX // Print each packet, including its link-layer header, in hex and ASCII.
-w // Write the raw packets to a file (pcap format, readable with tcpdump -r or Wireshark, not a text file).
Demo :
[root@clm-pun-tt7ctg tmp]# tcpdump -i ens192 -nn -ttt -vvv -A tcp and \(host 172.28.1.1 and port 2222\) -s0
tcpdump: listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
00:00:00.000000 IP (tos 0x0, ttl 64, id 53190, offset 0, flags [DF], proto TCP (6), length 60)
10.1.1.1.18407 > 172.28.1.1.2222: Flags [S], cksum 0xd429 (incorrect -> 0x8536), seq 2427819228, win 29200, options [mss 1460,sackOK,TS val 2877053722 ecr 0,nop,wscale 7], length 0
E..<..@.@...
.?....HG.............r..).........
.|[.........
00:00:00.043323 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6), length 64)
172.28.1.1.2222 > 10.1.1.1.18407: Flags [S.], cksum 0xdf6a (correct), seq 3472861540, ack 2427819229, win 65535, options [mss 1346,nop,wscale 6,nop,nop,TS val 877091469 ecr 2877053722,sackOK,eol], length 0
E..@..@.;.k....H
.?...G....d.........j.....B.......
4GZ..|[.....
00:00:00.000109 IP (tos 0x0, ttl 64, id 53191, offset 0, flags [DF], proto TCP (6), length 52)
10.1.1.1.18407 > 172.28.1.1.2222: Flags [.], cksum 0xd421 (incorrect -> 0x1db8), seq 1, ack 1, win 229, options [nop,nop,TS val 2877053766 ecr 877091469], length 0
E..4..@.@...
.?....HG..........e.....!.....
.|[F4GZ.
00:00:00.035585 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6), length 52)
172.28.1.1.2222 > 10.1.1.1.18407: Flags [.], cksum 0x166a (correct), seq 1, ack 1, win 2063, options [nop,nop,TS val 877091505 ecr 2877053766], length 0
E..4..@.;.k....H
.?...G....e.........j.....
4GZ..|[F
00:00:02.120325 IP (tos 0x0, ttl 64, id 53192, offset 0, flags [DF], proto TCP (6), length 57)
10.1.1.1.18407 > 172.28.1.1.2222: Flags [P.], cksum 0xd426 (incorrect -> 0x2341), seq 1:6, ack 1, win 229, options [nop,nop,TS val 2877055922 ecr 877091505], length 5
E..9..@.@...
.?....HG..........e.....&.....
.|c.4GZ.test
00:00:00.035541 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6), length 52)
172.28.1.1.2222 > 10.1.1.1.18407: Flags [.], cksum 0x059c (correct), seq 1, ack 6, win 2063, options [nop,nop,TS val 877093646 ecr 2877055922], length 0
E..4..@.;.k....H
.?...G....e...............
4Gc..|c.
00:00:05.206518 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6), length 63)
172.28.1.1.2222 > 10.1.1.1.18407: Flags [P.], cksum 0x0014 (correct), seq 1:12, ack 6, win 2063, options [nop,nop,TS val 877098829 ecr 2877055922], length 11
E..?..@.;.k....H
.?...G....e...............
4GwM.|c.test-reply
00:00:00.000126 IP (tos 0x0, ttl 64, id 53193, offset 0, flags [DF], proto TCP (6), length 52)
10.1.1.1.18407 > 172.28.1.1.2222: Flags [.], cksum 0xd421 (incorrect -> 0xe401), seq 6, ack 12, win 229, options [nop,nop,TS val 2877061164 ecr 877098829], length 0
E..4..@.@...
.?....HG..........p.....!.....
.|x,4GwM
Port forwarding
Forward port 1111 to 2222:
socat tcp-l:1111,fork,reuseaddr tcp:127.0.0.1:2222
Monitor SSL/TLS Traffic [sslsplit]
Generate keys:
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
Listen on 0.0.0.0:443 and forward to 192.168.0.5:443 [autossl = Auto TCP+SSL/TLS]:
./sslsplit -D -l connections.log -j logs -S logdir/ -k ./ca.key -c ./ca.crt autossl 0.0.0.0 443 192.168.0.5 443
Intercept (Request+Response) SSL/TLS Traffic [mitm_relay]
Tool : https://github.com/jrmdev/mitm_relay
Generate keys:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout private.key -outform pem -out server.pem -subj "/CN=*.acmecorp.com"
Listen on 0.0.0.0:8444 and forward to target.com:8445, sending every request and response through the HTTP proxy on 127.0.0.1:8080 for interception (modification of data) :
python mitm_relay.py -r 8444:target.com:8445 -c server.pem -k private.key -cc server.pem -ck private.key -p 127.0.0.1:8080 -l 0.0.0.0
Start Burp Suite on 127.0.0.1:8080 to intercept request and response.
Intercept Mobile apps (Request+Response) SSL/TLS Traffic [Flutter apps / apps that do not honour the system proxy]
Tool : https://github.com/iphelix/dnschef
Configure the mobile device's DNS server to 192.168.31.58 and start DNSChef:
dnschef.py -i 192.168.31.58 --fakedomains example.com --fakeip 192.168.31.58
Configure iptables to redirect the device's HTTP/HTTPS traffic to the interception port :
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
sudo iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
Start Burp Suite on 127.0.0.1:8080 to intercept request and response.
As an alternative to Burp Suite, you can use socat with a self-signed certificate to capture the traffic :
socat -v openssl-listen:8443,cert=example.cert,key=example.key,verify=0,reuseaddr,fork tcp4:localhost:6500
socat -v tcp4-listen:6500,reuseaddr,fork ssl:example.com:443,verify=0
Auto Intercept TCP + SSL/TLS Traffic [sslsplit + mitm_relay]
Note : This chain handles both plain TCP and SSL/TLS traffic automatically :
Listen on 0.0.0.0:443 and forward to proxy-host:443 :
./sslsplit -D -l connections.log -j logs -S logdir/ -k ./ca.key -c ./ca.crt autossl 0.0.0.0 443 proxy-host 443
Listen on proxy-host:443 and forward to target-host:443 :
python mitm_relay.py -r 443:target-host:443 -c server.pem -k private.key -cc server.pem -ck private.key -p 127.0.0.1:8080 -l 0.0.0.0
[Windows / Sysinternals : https://docs.microsoft.com/en-us/sysinternals/downloads/]
- List processes :
wmic process [Also lists path of executable]
tasklist
POWERSHELL > Get-Process
- Check file permissions :
cacls filename
icacls filename
C:\Program Files\> cacls .\filename.exe
CLM-TLV-SRLWNQ\patrol:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
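One cacls listing is easy to judge by eye; across a whole directory tree the question is which executables a broad group (Everyone, BUILTIN\Users, Authenticated Users) can modify, because a service or scheduled task that runs such a file runs whatever was last written to it. The following added example (written for these notes, not a Sysinternals or Microsoft tool) parses cacls-style ACEs (`(ID)F`) and icacls-style ACEs (`(I)(RX)`) and reports the ones that grant a broad principal modify rights. The listing is constructed, not captured from a host; on a real system feed it the output of `icacls "C:\Program Files" /t`. In that output the path and the principal can both contain spaces, so the parser recognizes principal shapes (an uppercase DOMAIN\name, or well-known names such as Everyone) rather than splitting on whitespace; a path whose last component is an all-uppercase directory name followed directly by a principal without a backslash could still be mis-split, which is why the matched path is kept in the result for review.

```python
import re

# Constructed icacls/cacls-style listing (not captured from a real host). The first line of
# each file carries the path; the remaining ACEs of that file are indented continuation lines.
SAMPLE_ACLS = r"""C:\Program Files\App\updater.exe BUILTIN\Users:(I)(F)
                                 NT AUTHORITY\SYSTEM:(I)(F)
                                 BUILTIN\Administrators:(I)(F)
C:\Program Files\App\app.exe NT AUTHORITY\SYSTEM:(ID)F
                             BUILTIN\Administrators:(ID)F
                             BUILTIN\Users:(ID)R
C:\Program Files\App\plugins\helper.dll Everyone:(I)(M)
                                        BUILTIN\Administrators:(I)(F)
"""

# principal:ace at the end of the line; the ace is cacls letters (F, C, W, R, N) and/or icacls groups.
ACE_RE = re.compile(
    r"(?P<principal>(?:NT AUTHORITY|NT SERVICE|APPLICATION PACKAGE AUTHORITY|[A-Z0-9_-]+)\\[^\\:]+"
    r"|Everyone|CREATOR OWNER|[^\s\\:]+):(?P<ace>(?:\([A-Za-z,]+\))*[A-Z]*)$")
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP", "ID"}          # inheritance markers, not rights
WRITE_RIGHTS = {"F", "M", "W", "C", "WD", "AD", "WDAC", "WO", "D", "DC"}  # allow changing/replacing the file
BROAD_PRINCIPALS = {"everyone", "users", "builtin\\users",
                    "nt authority\\authenticated users", "nt authority\\interactive"}


def parse_acl_listing(text):
    """Return (path, principal, rights) triples from icacls/cacls output."""
    path, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.search(line)
        if not m:
            continue
        head = line[:m.start()].strip()
        if head:                         # only the first ACE line of a file carries its path
            path = head
        rights = set()
        for group in re.findall(r"\(([A-Za-z,]+)\)", m["ace"]):
            if group not in INHERIT_FLAGS:
                rights.update(group.split(","))      # icacls: (F), (RX), (D,WDAC) ...
        rights.update(re.sub(r"\([^)]*\)", "", m["ace"]))  # cacls: single letters after the groups
        entries.append((path, m["principal"], rights))
    return entries


def find_broadly_writable(text):
    """ACEs that let a broad group modify the file: (path, principal, sorted rights)."""
    hits = []
    for path, principal, rights in parse_acl_listing(text):
        if principal.lower() in BROAD_PRINCIPALS and rights & WRITE_RIGHTS:
            hits.append((path, principal, sorted(rights)))
    return hits


if __name__ == "__main__":
    for path, principal, rights in find_broadly_writable(SAMPLE_ACLS):
        print("%s : %s has %s" % (path, principal, ",".join(rights)))
```

Denied ACEs (icacls prints them with a (DENY) marker) and localized group names are not handled here; the check is a triage filter, not a full effective-permissions calculation.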
- Adding new local user (In "Users" group):
net user userName Password /add
- Running cmd (or other program) as other user :
runas /user:rakesh cmd
- List files opened by a process [Sysinternals Handle]:
handle -u -p ProcessName
// -p ProcessName (or a PID) lists that process's handles (files, registry keys, sections, etc.); -u adds the owning user of each handle.
- Finding a string in file names and in file contents :
dir | findstr exe
findstr /i "rakesh" *
// /i => case-insensitive match
// * => all files in the current directory (add /s to recurse into subdirectories)